b"Audit Report\n\n\n\n\nOIG-13-036\nTERRORIST FINANCING/MONEY LAUNDERING: FinCEN\xe2\x80\x99s BSA\nIT Modernization Program Met Milestones with Schedule\nExtensions\nMarch 28, 2013\n\n\n\n\nOffice of\nInspector General\nDepartment of the Treasury\n\x0cThis Page Intentionally Left Blank.\n\x0cContents\n\nAudit Report\n\n  Results in Brief ............................................................................................ 3\n\n  Findings ..................................................................................................... 5\n\n      Major Milestones for BSA IT Mod Continued to Be Met and the Program\n      Was Within Budgeted Costs ..................................................................... 5\n\n      BSA IT Mod Project Performance Testing Was Mostly Successful ................. 11\n\n      Oversight of BSA IT Mod Continued ......................................................... 14\n\nAppendices\n\n  Appendix     1:      Objectives, Scope, and Methodology ......................................              18\n  Appendix     2:      Corrective Actions to Prior Audit Recommendations..................                    21\n  Appendix     3:      Additional Background Information on BSA IT Mod ...................                    22\n  Appendix     4:      Management Response .........................................................          27\n  Appendix     5:      Major Contributors to this Report ............................................         29\n  Appendix     6:      Report Distribution ................................................................   30\n\nAbbreviations\n\n  BCR                  baseline change request\n  BSA                  Bank Secrecy Act\n  BSA Direct           BSA Direct Retrieval and Sharing\n  BSA IT Mod           BSA Information Technology Modernization Program\n  CIO                  Chief Information Officer\n  EVM                  earned value management\n  FinCEN               Financial Crimes Enforcement Network\n  H. Rept.             House Report\n  IRS                  Internal Revenue Service\n  IT                   Information Technology\n  MITRE                MITRE Corporation\n  OCIO                 Office of the Chief Information Officer\n  OIG                  Office of Inspector General\n  PMO                  Project Management Office\n  SOR                  system of record\n  TEOAF                Treasury Executive Office of Asset Forfeiture\n  WebCBRS              Web-based Currency and Banking Retrieval System\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                           Page i\n                       Schedule Extensions (OIG-13-036)\n\x0c                                                                                      Audit\nOIG\nThe Department of the Treasury\n                                                                                      Report\nOffice of Inspector General\n\n\n\n\n                       March 28, 2013\n\n                       Jennifer Shasky Calvery, Director\n                       Financial Crimes Enforcement Network\n\n                       Robyn East, Chief Information Officer\n                       Department of the Treasury\n\n                       The Financial Crimes Enforcement Network (FinCEN)\n                       administers the Bank Secrecy Act (BSA), which established\n                       the framework to combat criminal use of the financial\n                       system. BSA requires financial institutions to report certain\n                       financial transactions made by their customers. FinCEN\n                       oversees the management, processing, storage, and\n                       dissemination of BSA data.\n\n                       In November 2006, FinCEN began a system development\n                       effort, the BSA Information Technology Modernization\n                       Program (BSA IT Mod), to improve the collection, analysis,\n                       and sharing of BSA data. The intent of the system was,\n                       among other things, to transition BSA data from the Internal\n                       Revenue Service (IRS) to FinCEN. BSA IT Mod is estimated\n                       to cost $120 million and is to be completed in 2014.\n\n                       Pursuant to a Congressional directive, we conducted the\n                       third in a series of audits of FinCEN\xe2\x80\x99s BSA IT Mod. 1\n                       Consistent with the Congressional directive, the objectives\n                       of the audit were to determine if FinCEN is (1) meeting cost,\n                       schedule, and performance benchmarks for the program and\n\n1\n House Report (H. Rept.) 112-331 directed our office to report on BSA IT Mod, including\ncontractor oversight and progress regarding budget and schedule, semiannually. Our first report\nunder this requirement was due March 31, 2012, and was issued on March 26, 2012.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                  Page 1\n                       Schedule Extensions (OIG-13-036)\n\x0c                       (2) providing appropriate oversight of contractors. We also\n                       assessed Treasury\xe2\x80\x99s Office of the Chief Information Officer\n                       (Treasury OCIO) oversight of the program. The period\n                       covered by this audit was June 2012 through December\n                       2012. We interviewed FinCEN program officials, Treasury\n                       OCIO officials, and representatives from IRS involved with\n                       the program. We interviewed representatives from Deloitte\n                       Consulting, LLP (Deloitte) and MITRE Corporation (MITRE),\n                       the contractors involved with the program. 2 We also\n                       reviewed applicable program documentation. We performed\n                       our fieldwork from October 2012 through February 2013.\n                       Appendix 1 provides a more detailed description of our audit\n                       objectives, scope, and methodology.\n\n                       In September 2012, we reported on FinCEN\xe2\x80\x99s BSA IT Mod\n                       as of May 2012. 3 We found that the program was on\n                       schedule and within budgeted cost. Development of the\n                       program met all major scheduled milestones, though the\n                       planned completion dates for certain projects were extended.\n                       During that time, FinCEN also became the authoritative\n\n2\n  FinCEN contracted with Deloitte to oversee the systems development and integration effort.\nDeloitte is the prime contractor in the BSA IT Mod effort. MITRE is a not-for-profit organization\nchartered to work in the public interest with expertise in systems engineering, information\ntechnology, operational concepts, and enterprise modernization. FinCEN engaged MITRE as a\nsubject matter expert on program and project management and BSA IT Mod business\ncapabilities.\n3\n  Treasury Office of Inspector General (OIG), FinCEN\xe2\x80\x99s BSA IT Modernization Program Is Meeting\nMilestones, But Oversight Remains Crucial (OIG-12-077; Sep. 27, 2012). This September 2012\nreport was our second report on the BSA IT Mod program. Our first report was titled Terrorist\nFinancing/Money Laundering: FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on Schedule and\nWithin Cost, But Requires Continued Attention to Ensure Successful Completion (OIG-12-047;\nMar. 26, 2012). As discussed in that first report, we found that as of May 2011, BSA IT Mod\nwas generally within scheduled milestones though certain projects had been delayed by more\nthan the 10 percent of schedule. We also concluded that FinCEN prepared a credible business\ncase before beginning development of BSA IT Mod but did not report $11.2 million of planning\ncosts. We did report on two matters of concern. As one concern, the successful and timely\ncompletion of BSA IT Mod was, in part, dependent on the successful completion of the system\nof record (SOR). The SOR was the information storage system for BSA data. FinCEN had at the\ntime of our first audit extended the SOR\xe2\x80\x99s completion date because of complexities encountered\nduring its development. As a second concern, we reported that certain IRS users had expressed\nconcerns over the potential impact to their operations as they transitioned from being a supplier\nof BSA data to being a receiver of BSA data. As of our second audit, we found that these two\nconcerns had been addressed as discussed further in Appendix 2.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                    Page 2\n                       Schedule Extensions (OIG-13-036)\n\x0c               source for BSA data when it transitioned the collection,\n               processing, and storage of all BSA data from IRS in January\n               2012. Additionally, FinCEN had tested the performance of\n               BSA IT Mod projects completed as of our review, and\n               resolved a number of significant issues that had been\n               identified. We also reported that Treasury OCIO\xe2\x80\x99s monitoring\n               of the program continued, primarily through review of\n               FinCEN-prepared documentation of program progress. We\n               did note, however, that FinCEN\xe2\x80\x99s Project Management Office\n               (PMO) discontinued its previous practice of providing\n               assessments of the program, instead focusing on providing\n               technical assistance for BSA IT Mod\xe2\x80\x99s configuration\n               management. At the time, we concluded that there was no\n               adverse impact from this change in focus. We did, however,\n               caution in our report that risks remained to the BSA IT Mod,\n               including the interdependency between the component\n               projects. This risk, among others, continues.\n\n\nResults in Brief\n               As of December 2012, we found that BSA IT Mod program\n               was proceeding mostly on schedule and within budgeted\n               cost. Program development met all major milestones\n               including those for updating the SOR and the release of\n               FinCEN Query, but the planned completion dates for certain\n               projects were extended when project staffing resources were\n               re-allocated to resolve data quality issues. Additionally,\n               although the program as a whole was within budget, the\n               costs for some discrete projects exceeded initial budgeted\n               amounts.\n\n               FinCEN tested the performance of BSA IT Mod projects\n               completed as of our review, and resolved significant issues\n               identified during testing. However, during the audit, FinCEN\n               users began experiencing performance issues with the\n               FinCEN Query tool, including searches yielding incomplete\n               data. FinCEN attributed this problem to the search engine\n               software and was working to resolve it at the completion of\n\n\n\n\n               FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with      Page 3\n               Schedule Extensions (OIG-13-036)\n\x0c                      our fieldwork. 4 We will follow-up on this issue during our\n                      next 6-month assessment.\n\n                      While FinCEN met all major milestones, risks remain to the\n                      program. One risk is the interdependency between the\n                      component projects. Future enhancements and modifications\n                      made to one component could affect others. Another risk\n                      concerns differences among users\xe2\x80\x99 needs and how FinCEN\n                      must consider, prioritize, and accommodate those needs.\n                      Some users also reported that BSA IT Mod features are\n                      challenging (difficult to use). We will continue in our future\n                      audits to assess FinCEN\xe2\x80\x99s efforts in meeting these BSA IT\n                      Mod challenges.\n\n                      With respect to FinCEN\xe2\x80\x99s oversight of BSA IT Mod, program\n                      management officials continued to provide technical\n                      assistance on BSA IT Mod configuration management as this\n                      was considered more important to the program\xe2\x80\x99s success\n                      than was conducting independent assessments. We found\n                      Treasury OCIO\xe2\x80\x99s monitoring of the program continued to be\n                      primarily focused on reviews of FinCEN-prepared program\n                      documentation. Given the overall positive track record by\n                      FinCEN to date in managing the BSA IT Mod development\n                      effort, we consider Treasury OCIO\xe2\x80\x99s monitoring appropriate.\n\n                      This audit, our third in a series, did not identify the need to\n                      make any new recommendations to FinCEN.\n\n                      For this report, we requested and received management\n                      response from FinCEN\xe2\x80\x99s Director and Treasury\xe2\x80\x99s Chief\n                      Information Officer. In her response, FinCEN\xe2\x80\x99s Director\n                      observed that the risks identified in our report are inherent in\n                      major IT investment efforts and that FinCEN would continue\n                      to employ rigorous program management, and engage and\n                      collaborate with stakeholders. Additionally, she noted that\n                      the performance issue experienced with FinCEN Query\n                      during our audit had been resolved. Treasury\xe2\x80\x99s Chief\n                      Information Officer provided a response of no comment on\n\n4\n FinCEN Query is the new search application that allows users to query BSA data broadly\nacross many fields.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with           Page 4\n                      Schedule Extensions (OIG-13-036)\n\x0c                          the report. Both management responses can be found in\n                          appendix 4.\n\nFinding 1                 Major Milestones for BSA IT Mod Continued to Be\n                          Met and the Program Was Within Budgeted Costs\n\n                          As of December 2012, we found that BSA IT Mod program\n                          was proceeding mostly on schedule and within budgeted\n                          costs. Program development met all major milestones\n                          including those for updating the SOR and the release of\n                          FinCEN Query, but the planned completion dates for certain\n                          projects were extended when project staffing resources were\n                          re-allocated to resolve data quality issues. Additionally,\n                          although the program as a whole is within budget, the costs\n                          for some projects exceeded initial budgeted amounts.\n\n                          Figure 1 provides a timeline of significant events in the BSA\n                          IT Mod program.\n\nFigure 1. Timeline of Significant Events in FinCEN\xe2\x80\x99s BSA System Modernization Efforts\n\n                      January 2007 \xe2\x80\x93\n                     December 2009                                             January 2012               April 2014\n   July 2006       FinCEN developed IT                May 2010           FinCEN transitioned the           Planned\n     FinCEN        governance process,                Design and          collection, processing,           system\n   terminated      stakeholders\xe2\x80\x99 needs,              development         and storage of all BSA          development\n  BSA Direct*       and business case                phase started             data from IRS              completion\n\n\n2006        2007           2008       2009           2010         2011          2012          2013         2014\n\n\n     November 2006                 January 2009             June 2011         November 2012            April 2013\n  FinCEN established IT                Program                FinCEN              FinCEN             Planned release\n  modernization, vision             initiation and           realigned         completed roll             of last\n   and strategy and set            planning phase            costs and         out of FinCEN         scheduled BSA\n      modernization                of BSA IT Mod              adjusts         Query to 7,500             IT Mod\n        foundation                      started              schedule              users               component\n\n\nSource: OIG review of FinCEN data.\n*FinCEN terminated BSA Direct Retrieval and Sharing (BSA Direct) after concluding the project had no\nguarantee of success. We reviewed that failure and found that FinCEN poorly managed the predecessor\nproject, insufficiently defined functional and user requirements, misjudged project complexity, and\nestablished an unrealistic completion date. We also found that the Treasury OCIO did not actively oversee\nthe project, as required by the Clinger-Cohen Act of 1996. Treasury Office of Inspector General (OIG),\nThe Failed and Costly BSA Direct R&S System Development Effort Provides Important Lessons for\nFinCEN\xe2\x80\x99s BSA Modernization Program (OIG-11-057: Jan. 5, 2011).\n\n\n                          FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                            Page 5\n                          Schedule Extensions (OIG-13-036)\n\x0c                    Project Dates Were Extended to Address Data Quality Issues\n\n                    As of December 31, 2012, FinCEN met all major milestones,\n                    but the planned completion dates for certain projects were\n                    extended. FinCEN program management officials told us that\n                    FinCEN and its contractor, Deloitte, reallocated project\n                    staffing resources to resolve data quality issues in the SOR\n                    to support the deployment of FinCEN Query. Table 1\n                    displays the status of BSA IT Mod by project. Appendix 3\n                    provides descriptions for the various projects.\n\nTable 1: BSA IT Mod Project Schedule Status as of December 31, 2012\n                                                                      Actual or\n                                                                      Planned\n                              Planned             Revised Planned     Completion   Project\n                              Completion          Completion          Date at      Status at\n                              Date at May         Date at June        December     December\nProject                       20101               20112               20123        2012\nSOR\n      Release 1               9/30/2011           12/1/2011           12/15/2011   Complete\n      Release 2               6/30/2012           7/1/2012            10/16/2012   Complete\nShared Filing Services\n      Release 1               9/30/2011           12/1/2011           12/15/2011   Complete\n      Release 2               6/30/2012           7/1/2012            10/16/2012   Complete\nThird Party Data\n      Release 1               9/30/2011           12/1/2011           12/15/2011   Complete\n      Release 2               6/30/2012           7/1/2012            10/16/2012   Complete\nData Conversion               12/31/2011          1/1/2012            1/6/2012     Complete\nE-Filing\n      Release 1               6/30/2011           7/1/2011            7/1/2011     Complete\n      Release 2               10/31/2011          7/1/2012            7/31/2012    Complete\nFinCEN Query7\n      Release 1               2/28/2012           6/1/2012            7/20/2012    Complete\n      Release 2               9/30/2012           10/1/2012           11/16/2012   Complete\nAdvanced Analytics\n      Release 1               10/31/2010          10/31/2010          10/31/2010   Complete\n      Release 2               4/30/2011           4/30/2011           4/30/2011    Complete\n      Release 3               7/31/2012           9/1/2012            8/1/2012     Complete\n      SCIF4                   n/a                 12/1/2012           11/9/2012    Complete\nRegister User Portal          3/31/2011           3/31/2011           3/31/2011    Complete\nIdentity/Access\nControl Management            3/31/2011           3/31/2011           3/31/2011    Complete\nBroker Information Exchange\n     314A,B Release 1         5/31/2011          5/31/2011           5/31/2011     Complete\n     314A,B Release 2         12/31/2012         4/1/2013            4/1/20136     Ongoing\nAlerts                        9/30/2012          1/1/2013            1/1/20136     Ongoing\n\n\n\n                    FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with              Page 6\n                    Schedule Extensions (OIG-13-036)\n\x0c    Table 1: BSA IT Mod Project Schedule Status as of December 31, 2012\n                                                                                Actual or\n                                                                                Planned\n                                      Planned              Revised Planned      Completion         Project\n                                      Completion           Completion           Date at            Status at\n                                      Date at May          Date at June         December           December\n    Project                           20101                20112                20123              2012\n    Bulk Data Dissemination\n         Release 1                    9/30/2011            3/1/2012             4/17/2012          Complete\n         Release 2                    6/30/2012            7/1/2012             10/16/2012         Complete\n    Infrastructure & Portal\n    Security Develop and Test         9/30/2010            9/30/2010            9/30/2010          Complete\n         Release 1                    3/31/2011            3/31/2011            3/31/2011          Complete\n         Release 2                    9/30/2011            9/30/2011            9/30/2011          Complete\n         Release 3                    6/30/2012            n/a5                 n/a5               n/a5\n    Source: OIG analysis of FinCEN documentation.\n    1\n      The dates displayed were the initial planned completion dates when in May 2010, FinCEN began the design\n    and development of projects after receiving Office of Management and Budget approval.\n    2\n      FinCEN submitted a baseline change request (BCR) to the Treasury CIO to adjust selected project milestone\n    schedule dates and realign costs to keep the overall program on track. The baseline change was implemented\n    in June 2011. See appendix 3 for additional information regarding the BCR.\n    3\n       Dates represent the actual completion dates if the project was completed, or the planned completion date\n    as of the cutoff date of our review (December 31, 2012).\n    4\n       A sensitive compartmented information facility (SCIF) has formal access controls and is used to hold\n    information concerning or derived from intelligence sources, methods, or analytical processes. FinCEN plans\n    to provide its SCIF with advanced analytics capability, which was not part of the May 2010 initial plan but\n     was part of the June 2011 BCR.\n    5\n       Not applicable - The work planned for Infrastructure release 3 was removed from the project and will be\n    done as part of BSA IT Mod\xe2\x80\x99s on-going operations and maintenance.\n    6\n       We plan to determine the status and report on the milestone in our next semiannual report pursuant to\n    H. Rept. 112-331.\n    7\n      As discussed in Finding 2, FinCEN users began experiencing performance issues with release 2 of FinCEN\n    Query, including searches yielding incomplete data. FinCEN attributed this problem to the search engine\n    software.\n\n\n                           Since becoming the authoritative source for BSA data in\n                           January 2012, FinCEN continued to identify and resolve data\n                           quality issues involving the SOR as additional features were\n                           added to BSA IT Mod, such as address validation, the\n                           release of new BSA forms, and FinCEN Query. 5\n\n\n5\n  As part of its BSA IT Mod effort, FinCEN consolidated each of the various financial institution\ncurrency transaction reports and suspicious activity reports into a single set of forms, and\nincreased the data captured on the forms. These new forms along with forms for the\nregistration of money services business and designation of exempted person were released in\nMarch 2012. Electronic filing of the new currency transaction report and suspicious activity\nreport forms through FinCEN\xe2\x80\x99s BSA E-Filing web portal is mandated by April 1, 2013.\n\n\n                           FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                         Page 7\n                           Schedule Extensions (OIG-13-036)\n\x0c                      FinCEN Query releases 1 and 2 were completed 7 weeks\n                      beyond their planned completion dates. FinCEN\xe2\x80\x99s BSA IT\n                      Mod program management officials told us that the schedule\n                      delay for release 1 resulted from changes made to the SOR\n                      that, in turn, required programing changes to FinCEN Query.\n                      The delays to FinCEN Query release 1 resulted in an increase\n                      of approximately $460,000, or 6 percent, over budgeted\n                      costs. The increase is primarily attributed to the need for\n                      additional performance testing. FinCEN Query release 2 was\n                      delayed because of the time needed to incorporate a law\n                      enforcement requested enhancement to simplify the search\n                      tool. This project enhancement was a change in scope from\n                      the original plan and may result in an increase to the final\n                      program cost.\n\n                      The dates for release 2 of the SOR, Third-Party Data, Shared\n                      Filing Services, and Bulk Data Dissemination were also\n                      extended by 15 weeks beyond their planned completion\n                      dates and costs increased approximately $350,000, or 17\n                      percent, over that which were budgeted.\n\n                      E-Filing release 2 was completed 4 weeks beyond its\n                      planned completion date because of the delay in awarding\n                      the contract and the need to relocate contractor staff to\n                      FinCEN. 6\n\n                      BSA IT Mod\xe2\x80\x99s next major and final milestone is the\n                      completion of the Broker Information Exchange project,\n                      which includes the Financial Intelligence Repository. Initially\n                      scheduled to be completed by April 2013, FinCEN program\n                      management officials told us in March 2013 that they had\n                      submitted a BCR to break Broker Information Exchange,\n                      Release 2, into two separate releases \xe2\x80\x93 the first planned for\n                      August 2013 and the second planned for April 2014.\n\n\n\n\n6\n The majority of the contract services work is being performed by Deloitte. Northrop Grumman\nwas contracted for E-Filing.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                Page 8\n                      Schedule Extensions (OIG-13-036)\n\x0cBSA IT Mod Remained Within Budgeted Costs\n\nAs of December 31, 2012, FinCEN reported that it had spent\napproximately $83 million developing BSA IT Mod from its\noverall $120 million, 4-year plan. Not included in this amount\nwas approximately $11.2 million in program planning costs,\nwhich we addressed in our March 2012 report. In that\nregard, FinCEN\xe2\x80\x99s actual program costs incurred through\nDecember 2012 were approximately $94.2 million. A\nbreakdown by category of the actual costs incurred is\nprovided in Table 2 below.\n\n Table 2: BSA IT Mod Costs as of December 31, 2012 (in millions)\n Category                                                        Amount\n Initial Planning                                                 $11.2\n Development\n     Hardware and Software                                          10.3\n     Contractor Services                                            40.6\n     Other1                                                         13.2\n     Operations and Maintenance2                                    13.7\n FinCEN staffing costs3                                              5.2\n    Total                                                          $94.2\n Source: OIG analysis of FinCEN data.\n 1\n   Other costs are comprised of (1) program management and program\n engineering performed by Deloitte and MITRE, (2) a contract office fee of\n 4 percent for the Department of the Interior\xe2\x80\x99s National Business Center\n Acquisition Services Directorate for support of the BSA IT Modernization\n Program, and (3) a management reserve for potential additional work to\n be performed within the authorized work scope of the contract or to\n accommodate rate changes for future work.\n 2\n   Operations and Maintenance costs are comprised of hosting costs by\n the Treasury\xe2\x80\x99s Bureau of the Public Debt, hardware and software\n maintenance support, network support, application support, and the\n application help desk costs. Effective October 2012, the Bureau of Public\n Debt and Treasury\xe2\x80\x99s Financial Management Service were reorganized as\n the Bureau of Fiscal Service.\n 3\n   Staffing costs are estimated based on FinCEN\xe2\x80\x99s Exhibit 300\n submissions to OMB. FinCEN does not track the staffing costs associated\n with BSA IT Mod.\n\n\nFinCEN funded BSA IT Mod through $119.9 million received\nfrom its annual congressional appropriations and\nsupplemental funding from the Treasury Forfeiture Fund\nadministered by the Treasury Executive Office of Asset\nForfeiture (TEOAF). TEOAF provided funding for the BSA IT\nMod Program consistent with its authority to provide funds\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                    Page 9\nSchedule Extensions (OIG-13-036)\n\x0c                      for law enforcement-related expenditures. 7 Table 3 below\n                      identifies the program\xe2\x80\x99s funding sources by year.\n\n                       Table 3: BSA IT Mod Funding Sources as of December 31, 2012\n                       (in millions)\n                                                                       Treasury\n                                         Congressional                Forfeiture\n                       Fiscal Year       Appropriation                     Fund            Total\n                       2009                      $2.5                     $3.7             $6.2\n                       2010                      18.5                     11.7             30.2\n                       2011                      18.5                     11.5             30.0\n                       2012                      23.5                       6.5            30.0\n                       20131                     23.5                       0.0            23.5\n                         Total                  $86.5                    $33.4           $119.9\n                       Source: OIG analysis of FinCEN and TEOAF documentation.\n                       1\n                         The federal government is operating under a continuing appropriation\n                       resolution (Pub. L. No. 112-175) through March 2013 at a .6 percent\n                       increase over fiscal year 2012 levels.\n\n\n\n\n7\n  The Treasury Forfeiture Fund, which is the receipt account for the deposit of non-tax\nforfeitures made as a result of law enforcement actions by participating Treasury and\nDepartment of Homeland Security agencies. The Treasury Forfeiture Fund is established under\n31 U.S.C. \xc2\xa7 9703. The Fund can provide money to other federal entities to accomplish specific\nobjectives for which the recipient entities are authorized to spend money and toward other\nauthorized expenses. Distributions from this Fund in excess of $500,000 cannot be used until\nthe Appropriations Committees from both houses of Congress are notified. TEOAF submits its\nplanned release of funds to Congress annually. Those submissions through fiscal year 2012\nincluded the funding provided for the BSA IT Mod program.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                    Page 10\n                      Schedule Extensions (OIG-13-036)\n\x0cFinding 2              BSA IT Mod Project Performance Testing Was\n                       Mostly Successful\n\n                       FinCEN tested the performance of BSA IT Mod projects\n                       completed during the current audit period using government\n                       acceptance testing (GAT) 8 and resolved all significant issues\n                       that were identified through that testing. FinCEN has\n                       experienced some performance issues with FinCEN Query\n                       after its deployment.\n\n                       Table 4 below identifies testing conducted during our audit\n                       period.\n\n    Table 4: BSA IT Mod Project Testing Status as of January 17, 2013\n                                              Completion         Total        Closed        Open\n    Project                                   Date of Testing    Defects1     Defects       Defects\n    System of Record/\n    Shared Filing Services/\n    Third Party Data\n           Release 1                          12/14/2011         862          862           0\n           Release 22                         10/12/2012         220          219           1\n    Data Conversion                           12/14/2011         544          544           0\n    E-Filing\n           Release 1                          6/7/2011           7            7             0\n           Release 2                          7/27/2012          466          414           52\n    FinCEN Query\n           Release 1                          6/13/2012          922          870           52\n           Release 2                          11/15/2012         36           28            8\n    Advanced Analytics\n           Release 1                          10/18/2010         70           70            03\n           Release 2                          4/14/2011          50           50            03\n           Release 3                          7/12/2012          42           34            8\n           SCIF                               9/7/2012           18           12            6\n    Register User Portal, Identity/Access\n    Control Management                        3/22/2011          33           33            04\n    Broker Information Exchange\n           314A Release 1                     5/26/2011          23           23            0\n           314A&B Release 2                   Not Started        N/A          N/A           N/A\n\n\n8\n  GAT is the government\xe2\x80\x99s opportunity to validate that the current release\xe2\x80\x99s requirements were\nmet. This includes testing functionality, system usability, permissions and security, compatibility\ntesting, and traceability to business requirements through test script execution, demonstrations\nand inspections. Performance and response time are also observed.\n\n\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                      Page 11\n                       Schedule Extensions (OIG-13-036)\n\x0cTable 4: BSA IT Mod Project Testing Status as of January 17, 2013\n                                              Completion           Total         Closed          Open\nProject                                       Date of Testing      Defects1      Defects         Defects\nAlerts\n       Release 1                              11/20/2012           8             6               2\nBulk Data Dissemination\n       Release 1                              N/A5                 N/A           N/A             N/A\n       Release 2                              9/28/2012            417           417             0\nSource: OIG analysis of FinCEN data.\n1\n  A defect is defined as a test result that does not match the expected result. Defects are also referred to as\nissues, problems, or incidents.\n2\n  Third-Party Data release 2 GAT was completed on September 28, 2012.\n3\n  According to FinCEN\xe2\x80\x99s Chief Technology Officer, open defects under Advanced Analytics releases 1 and\nrelease 2 were closed when the releases were replaced with the release 3.\n4\n  FinCEN deployed the Register User Portal, Identity/Access Control Management without addressing the 9\nremaining defects, which it closed. According to FinCEN officials, it plans to address the defects during the\noperations and maintenance phase.\n5\n  Bulk Dissemination release 1 did not undergo GAT. FinCEN provided users with a sample of bulk data files\nto test and validate.\n\n\n\n                    Since our September 2012 report, the number of defects\n                    increased for release 1 of the SOR, Shared Filing Services,\n                    and Third-Party Data. The increase in defects was due to\n                    FinCEN identifying data quality issues as additional features\n                    were added to BSA IT Mod, such as address validation, the\n                    release of new BSA forms, and FinCEN Query. The number\n                    of FinCEN Query release 1 defects increased in part because\n                    of a law enforcement requested enhancement to simplify the\n                    FinCEN Query search process.\n\n                    Similar to what we were told in our prior audit, FinCEN\n                    program management officials stated that issues identified\n                    during testing considered severe enough to adversely impact\n                    BSA IT Mod were resolved prior to projects being deployed.\n                    FinCEN and MITRE considered all remaining open defects to\n                    be low severity, meaning that the defects would not\n                    significantly impair program performance or functionality. As\n                    BSA IT Mod is transitioned from the project development\n                    phase to the deployment phase, FinCEN plans to prioritize\n                    open defects and address them as program enhancements in\n                    the operations and maintenance phase. So far, FinCEN has\n                    used approximately $4 million from its operations and\n                    maintenance budget to resolve defects and requests for\n                    changes in the support of deployed projects.\n\n                    FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                            Page 12\n                    Schedule Extensions (OIG-13-036)\n\x0cFinCEN Query Issues Remain\n\nFinCEN program management officials and representatives\nfrom MITRE, IRS, and Deloitte told us that BSA IT Mod was\nperforming well and meeting the needs of the users. In this\nregard, FinCEN and MITRE said there were some data quality\nissues, but that the types of issues experienced were issues\nnormally encountered when developing a major IT program\nsuch as BSA IT Mod. FinCEN was working to resolve the\nissues with the users.\n\nFinCEN Query was released to FinCEN internal users in July\n2012 and to other federal and state users from September\nthrough November 2012. By the end of December 2012,\napproximately 7,500 users had access to FinCEN Query, and\nof those, approximately 4,500 users had actually accessed\nit. The average query response time was about 1 second.\n\nDuring this audit, our third one of the series, FinCEN Query\nwas experiencing continued service interruptions\xe2\x80\x94in other\nwords, it was periodically \xe2\x80\x9ccrashing.\xe2\x80\x9d To resolve this,\nFinCEN program management officials told us that, among\nother things, they updated the software, added hardware\ncapacity, and continued to work with the software vendor.\nTo improve performance, FinCEN increased the number of\nFinCEN Query servers and made multiple software upgrades.\nWhile we found that FinCEN was actively working this issue,\nwe will continue to monitor the performance of FinCEN\nQuery in our future audits of BSA IT Mod.\n\nRisks to BSA IT Mod\xe2\x80\x99s Successful Completion Remain\n\nSimilar to what we reported in our September 2012 report, a\ncontinued risk was the program\xe2\x80\x99s high-level of dependency\nbetween its component projects. Programming changes to\none project, such as the SOR, required programming\nchanges to other projects. This risk will continue as the\nremaining BSA IT Mod projects are released and\nenhancements are made during the program\xe2\x80\x99s operations and\nmaintenance phase.\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with      Page 13\nSchedule Extensions (OIG-13-036)\n\x0c                      Another risk concerns how users have different needs that\n                      FinCEN must consider, prioritize, and accommodate. For\n                      example, FinCEN addressed a law enforcement requested\n                      enhancement to simplify the FinCEN Query search process.\n                      In addition, FinCEN told us that some users found BSA IT\n                      Mod features challenging to use, such as the Advanced\n                      Analytics tool. To address this, FinCEN has provided users\n                      with support and training. FinCEN will need to continue this\n                      support going forward. We will continue to monitor this area.\n\n                      We also note that FinCEN has proposed a reorganization. To\n                      that end, it has briefed its Congressional oversight\n                      committees as well as our office about its reorganization\n                      plan. As the reorganization plan evolves, we will assess its\n                      impact to the BSA IT Mod program in our future work.\n\nFinding 3             Oversight of BSA IT Mod Continued\n\n                      In our September 2012 report, we reported that FinCEN\n                      maintained oversight of BSA IT Mod, and that Treasury\n                      OCIO\xe2\x80\x99s oversight was primarily accomplished through a\n                      review of FinCEN-prepared program documentation. We also\n                      found that FinCEN\xe2\x80\x99s PMO reduced its independent oversight;\n                      however, we concluded this change had no adverse impact\n                      on the program. The level of oversight noted in our last\n                      report continued during the period covered by this audit.\n\n                      FinCEN Oversight\n\n                      Deloitte provided FinCEN, as it had done in the past, with\n                      monthly BSA IT Mod program management reviews focused\n                      on the program status using earned value management\n                      (EVM) and provided a forum for discussing the risks and risk\n                      mitigation plans. 9 Our review of these reports and other\n\n\n9\n  EVM measures the value of work accomplished in a given period. Differences in these values\nare measured in both cost and schedule variances. Explanations must be provided for variances\nof 10 percent and are subject to corrective action plans, baseline change requests, or\ntermination. The use of EVM satisfies Office of Management and Budget requirements on\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                 Page 14\n                      Schedule Extensions (OIG-13-036)\n\x0c                       program-related documentation revealed that BSA IT Mod\n                       met milestones and was within budgeted costs. The\n                       documentation also showed and explained why certain\n                       projects had exceeded planned schedule and budget noting\n                       instances where project staffing resources were re-allocated\n                       to resolve data quality issues. MITRE officials also stated\n                       that to date FinCEN managed the program in an acceptable\n                       manner and that they had no significant concerns. Deloitte\n                       and MITRE officials agreed that overall the program met\n                       milestones and stayed within budgeted costs.\n\n                       We reported in our September 2012 report that FinCEN\xe2\x80\x99s\n                       PMO changed its oversight by no longer conducting formal\n                       assessments of BSA IT Mod, but was instead providing\n                       technical assistance on BSA IT Mod configuration\n                       management because that assistance was considered to be\n                       a better use of PMO resources. During this audit, FinCEN\n                       program management officials told us that the PMO\n                       continued to support the configuration management process.\n                       We did not identify any negative impact as a result of the\n                       PMO\xe2\x80\x99s continued change of focus.\n\n                       Treasury OCIO Oversight\n\n                       In our September 2012 report, we reported that Treasury\n                       OCIO officials told us that the office reviewed program\n                       documentation, including performance plans, cost\n                       submissions, and schedule and performance reporting and\n                       that the officials characterized the reviews as being at the\n                       \xe2\x80\x9cmacro-level.\xe2\x80\x9d We also reported that the BSA IT Mod\n                       Modernization Executive Group and Executive Steering\n                       Committee meetings, of which the Treasury CIO is a\n                       member, were done through e-mails when a major decision\n                       or approval was sought. Looking forward, the Treasury OCIO\n                       was working to strengthen the analytical skills of its desk\n                       officers. The office also planned to increase the level of\n                       interaction with bureau CIOs by instituting quarterly\n\n\nprograms classified as major acquisitions as well IT projects. FinCEN contracted with MITRE to\nprovide an independent validation to ensure the accuracy of EVM data.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                 Page 15\n                       Schedule Extensions (OIG-13-036)\n\x0c                      investment status meetings rather than annual investment\n                      reviews.\n\n                      During this audit, we found no change in the level of\n                      Treasury OCIO\xe2\x80\x99s oversight. Treasury OCIO officials told us\n                      that they instituted quarterly investment status meetings,\n                      but had not yet conducted one for BSA IT Mod. Treasury\n                      OCIO, however, continued to monitor FinCEN monthly data\n                      submissions to identify potential issues.\n\n                      As we reported in our previous audits of BSA IT Mod, the\n                      Treasury CIO is a member of both the BSA IT Mod\n                      Modernization Executive Group and Executive Steering\n                      Committee, which meets on a quarterly basis or when a\n                      major decision or approval is sought. During this audit, the\n                      BSA IT Mod Modernization Executive Group and the\n                      Executive Steering Committee met in September 2012 to\n                      discuss the planned release of FinCEN Query to BSA data\n                      users and IRS\xe2\x80\x99s discontinuation of Web-based Currency and\n                      Banking Retrieval System (WebCBRS) access to non-IRS\n                      users by December 2012. 10 Additional communication\n                      among Executive Steering Committee members took place\n                      through email correspondence in December 2012. The\n                      correspondence discussed how IRS would continue to\n                      provide the U.S. Customs and Border Protection with access\n                      to WebCBRS and bulk BSA data until April 2013\xe2\x80\x94when a\n                      planned agency IT system upgrade was to be completed to\n                      allow bulk data to be received.\n\n                      Similar to what we reported in September 2012, Treasury\n                      OCIO officials told us that the program was performing well\n                      and they were satisfied with the level and quality of BSA IT\n                      Mod program data provided by FinCEN. They also told us\n                      that FinCEN\xe2\x80\x99s communication with the Treasury OCIO was\n                      good and characterized FinCEN program management\n                      officials as competent.\n\n\n\n10\n  WebCBRS is IRS\xe2\x80\x99s data warehouse and information retrieval system that had been used to\ncollect and store BSA data until FinCEN assumed this role in January 2012.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with            Page 16\n                      Schedule Extensions (OIG-13-036)\n\x0cIn summary, we believe that the oversight by FinCEN\nmanagement and Treasury OCIO during this audit period was\nappropriate given the overall positive track record by FinCEN\nto date in managing its BSA IT Mod development effort.\nThat being said, we plan to continue to review program\noversight exercised in our future audits of the program.\n\n                                 ******\n\nWe appreciate the cooperation and courtesies extended to\nour staff during the audit. If you wish to discuss the report,\nyou may contact me at (617) 223-8640 or Mark Ossinger,\nAudit Manager, at (617) 223-8643. Major contributors to\nthis report are listed in appendix 5.\n\n/s/\nSharon Torosian\nAudit Director\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with        Page 17\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nThis is the third in a series of audits of the Financial Crimes\nEnforcement Network's (FinCEN) Bank Secrecy Act (BSA)\nInformation Technology Modernization Program (BSA IT Mod). Our\nobjective was to determine if FinCEN is (1) meeting cost, schedule,\nand performance benchmarks for this program and (2) providing\nappropriate oversight of contractors. Additionally, we assessed\nTreasury OCIO (OCIO) oversight of the program. For the third audit,\nwe determined the status of the program\xe2\x80\x99s cost, schedule, and\nperformance through December 31, 2012.\n\nTo accomplish our objective, we interviewed a variety of officials,\nincluding FinCEN program officials, Department of the Treasury\nOCIO officials, an official from the Internal Revenue Service (IRS)\ninvolved with the program, and officials with FinCEN\xe2\x80\x99s contractors.\nWe also reviewed applicable program documentation and testing\nprocedures. We performed our fieldwork from October 2012\nthrough February 2013.\n\nAt FinCEN, officials we interviewed included the following:\n\n\xe2\x80\xa2   The Chief Information Officer (CIO) and the BSA IT Mod\n    program manager to obtain an update on BSA IT Mod, a\n    perspective on each individual\xe2\x80\x99s knowledge and level of\n    involvement, cost and schedule concerns, and overall progress\n    of the program.\n\n\xe2\x80\xa2   The Chief Technology Officer to obtain his perspective, level of\n    involvement, schedule and performance concerns, and overall\n    progress of the program. Additionally, we obtained his\n    perspective on the project testing conducted and defect\n    resolution strategies employed.\n\n\xe2\x80\xa2   The Deputy Chief Financial Officer for an update of the cost and\n    funding for BSA IT Mod.\n\n\xe2\x80\xa2   The Assistant Director and the lead assessor for FinCEN\xe2\x80\x99s\n    Project Management Office to discuss their assessments of the\n    program.\n\n\xe2\x80\xa2   The project managers, project leaders, and contracting officer\n    technical representatives responsible for each BSA IT Mod\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with      Page 18\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\n    project to obtain an understanding of their perspective, level of\n    involvement, schedule and performance concerns, and overall\n    progress of their respective projects.\n\nExternal to FinCEN, we interviewed the following officials:\n\n\xe2\x80\xa2   Deloitte LLP\xe2\x80\x99s managing director and Deloitte\xe2\x80\x99s program\n    manager and Analyst for Earned Value Management (EVM) for\n    BSA IT Mod to obtain an update on their perspective of BSA IT\n    Mod and ascertain the program\xe2\x80\x99s status. These interviews were\n    conducted at the contractor\xe2\x80\x99s office in Rosslyn, Virginia.\n\n\xe2\x80\xa2   MITRE representatives in McLean, Virginia, to obtain an update\n    of MITRE\xe2\x80\x99s role as the federally funded research and\n    development contractor, its level of involvement with the\n    program, as well as issues, concerns, and other significant\n    matters observed. These interviews were conducted at a MITRE\n    office in McLean, Virginia.\n\n\xe2\x80\xa2   The Treasury CIO, the Treasury OCIO Associate Director of\n    Information Technology Capital Planning, and the Treasury\n    OCIO desk officer assigned to the BSA IT Mod program for an\n    update on their roles in overseeing BSA IT Mod, as well as\n    issues, any concerns, and other significant matters.\n\n\xe2\x80\xa2   IRS\xe2\x80\x99s Associate CIO, Applications Development Group, to obtain\n    an update of her role with BSA IT Mod, coordination between\n    IRS and FinCEN, and any concerns regarding the program or\n    BSA IT Mod system functionality.\n\nWe reviewed FinCEN program-related information, including\nmanagement reports, minutes from executive, management, and\ntechnical meetings; planning documentation; program and project\nlevel documentation; and FINCEN presentations to, for example,\nCongress, the Office of Management and Budget, Treasury OCIO,\nthe BSA IT Mod Modernization Executive Group and the Executive\nSteering Committee, and FinCEN management.\n\nWe reviewed program management briefings and status reports,\ninternal and external program performance assessment reports, and\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with       Page 19\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 1\nObjectives, Scope, and Methodology\n\n\n\n\nrelated documentation to assess program performance status,\nrisks, and issues.\n\nWe interviewed FinCEN and MITRE representatives involved with\nBSA IT Mod government acceptance testing and reviewed\ntesting-related documentation, including testing plans and status\nreports. We reviewed certain testing defects and issues identified\nduring testing, and their resolutions, that were recorded in\nFinCEN\xe2\x80\x99s project management and issues tracking system.\n\nWe conducted this performance audit in accordance with generally\naccepted government auditing standards. Those standards require\nthat we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and\nconclusions based on our audit objectives. We believe that the\nevidence obtained provides a reasonable basis for our findings and\nconclusions based on our audit objectives.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with     Page 20\nSchedule Extensions (OIG-13-036)\n\x0c                       Appendix 2\n                       Corrective Actions to Prior Audit Recommendations\n\n\n\n\n                       The status of the two audit recommendations in our prior report on\n                       the Bank Secrecy Act (BSA) Information Technology Modernization\n                       Program are presented in Table 5 below. Both recommendations\n                       are closed. We do not plan to report on the status of these\n                       recommendations in our future audits of the program.\n\nTable 5: Corrective Actions on Prior Audit Recommendations\nRecommendation                      FinCEN Corrective Actions\nIn conjunction with IRS, ensure     The Financial Crimes Enforcement Network (FinCEN), in the short\nin the short term that IRS\xe2\x80\x99s        term, was to provide Bank Secrecy Act (BSA) data to the Internal\nWebCBRS data needs are met          Revenue Service\xe2\x80\x99s (IRS) Web-based Currency and Banking\nand; in the long term, assist IRS   Retrieval System (WebCBRS) via the current E-Filing system and\nto ensure data requirements are     formats. In support of the longer-term goal, FinCEN was asked to\nincorporated into IRS\xe2\x80\x99s             participate on the IRS\xe2\x80\x99s Integrated Project Team to define the IRS\nmodernization efforts.              BSA data end-state solution. FinCEN\xe2\x80\x99s involvement on the team\n                                    included providing the technical specifications for bulk data\n                                    distribution, answering questions related to new BSA data\n                                    structures, and providing support as requested.\n\n                                    FinCEN closed the short term action on March 28, 2012. In this\n                                    regard, the BSA Information Technology (IT) Modernization\n                                    Executive Group consisting of the FinCEN Director, Treasury Chief\n                                    Information Officer, and IRS Deputy Commissioner for Operations\n                                    and Maintenance, approved the mapping back of new Suspicious\n                                    Activity Report (SAR) and Currency Transaction Report (CTR) data\n                                    from FinCEN\xe2\x80\x99s E-Filing system to WebCBRS in the legacy format.\n                                    Subsequently, on March 29, 2012, FinCEN released the new SAR\n                                    and CTR reports to filing institutions for submission. We confirmed\n                                    during our second audit that FinCEN was able to provide BSA data\n                                    from its E-Filing system in the same format IRS used. The long\n                                    term action is considered closed by FinCEN with its ongoing\n                                    participation on IRS's Integrated Project Team.\nEnsure that, for future major       FinCEN responded to the audit recommendation that it did\ncapital investments, required       not have a future major capital investment planned.\nsubmissions to OMB include full     However, when such a time comes, FinCEN will ensure\nlife-cycle cost estimates in        that required submissions to Office of Management and\naccordance with OMB Circular        Budget (OMB) comply with OMB\xe2\x80\x99s Circular A-11 and that\nA\xe2\x80\x9311, Preparation, Submission and   required documentation supporting costs estimates are\nExecution of the Budget, and that   maintained. FinCEN closed the action on April 10, 2012.\nthorough documentation\nsupporting estimates is             FinCEN's commitment to ensure future compliance and\nmaintained.                         maintain supporting documentation met the intent of the\n                                    audit recommendation.\nSource: Treasury Office of Inspector General (OIG), FinCEN\xe2\x80\x99s BSA IT Modernization Program Is on\nSchedule and Within Cost But Requires Continued Attention to Ensure Successful Completion (OIG-12-\n047; Mar. 26, 2012). OIG obtained the status of the recommendations through Treasury\xe2\x80\x99s Joint Audit\nManagement Enterprise System (JAMES), and selectively confirmed the actions taken by FinCEN as\nreported in JAMES.\n\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                     Page 21\n                       Schedule Extensions (OIG-13-036)\n\x0cAppendix 3\nAdditional Background Information on BSA IT Mod\n\n\nProjects Included in the BSA IT Mod Program\n\nThe BSA IT Mod program is made up of multiple projects with\nspecific components. The projects are summarized below. All\nprojects were completed as of December 2012 unless otherwise\nindicated below.\n\n\xe2\x80\xa2   System of Record (SOR) provides data storage and architecture\n    for BSA data for 11 years of BSA data.\n\n\xe2\x80\xa2   Shared Filing Services provides for validation of BSA data with\n    external data sources, such as validation of addresses to U.S.\n    Postal Service data.\n\n\xe2\x80\xa2   Third Party Data provides the SOR additional BSA data through\n    external data sources such as the financial institution\n    identification number assigned by the Federal Reserve.\n\n\xe2\x80\xa2   Bulk Data Dissemination is used for the distribution of large\n    quantities of BSA data to external users.\n\n\xe2\x80\xa2   Data Conversion project converted 11 years of BSA data from\n    the IRS\xe2\x80\x99s legacy system to the FinCEN\xe2\x80\x99s new SOR.\n\n\xe2\x80\xa2   BSA E-Filing is used by BSA filers to submit all required\n    electronic filing of BSA forms to FinCEN.\n\n\xe2\x80\xa2   FinCEN Query is a tool designed to improve authorized users\xe2\x80\x99\n    ability to access and analyze BSA data. The tool will be used by\n    FinCEN internal users and by registered external users and\n    customers to retrieve and analyze BSA data. The tool is to\n    support traditional structured BSA data queries, and provide\n    narrative search capabilities and options to coordinate and\n    collaborate with users on queries performed.\n\n\xe2\x80\xa2   Advanced Analytics provides complex search and retrieval\n    functionality for FinCEN internal users to support their\n    analytical, law enforcement, and regulatory activities. The tool\n    is to provide advanced analytical capabilities such as geospatial,\n    statistical analysis, social networking, semantic interchange,\n    and visualization capabilities.\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with       Page 22\nSchedule Extensions (OIG-13-036)\n\x0c                         Appendix 3\n                         Additional Background Information on BSA IT Mod\n\n\n\n                         \xe2\x80\xa2   Register User Portal/Identity Management/Access Control\n                             Management provides the means for common user interface and\n                             authentication process through which both internal and external\n                             authorized users will gain access to all future BSA IT Mod\n                             applications.\n\n                         \xe2\x80\xa2   Infrastructure provided the design, development, procurement,\n                             and implementation of the development and test environments,\n                             storage area network(s), and disaster recovery capabilities\n                             required to support the other BSA IT Mod projects.\n\n                         \xe2\x80\xa2   Broker Information Exchange provides content management and\n                             collaboration support for internal and external users. The 314A\n                             component allows law enforcement agencies to submit requests\n                             through FinCEN to financial institutions for information about\n                             financial accounts and transactions of persons or businesses\n                             that may be involved in terrorism or money laundering. The\n                             314B component allows financial institutions to share\n                             information with one another through FinCEN to identify and\n                             report suspicious money laundering or terrorist activities to the\n                             federal government. 314A and 314B refer to Section 314 of the\n                             USA Patriot Act that requires FinCEN of establish these\n                             functionalities. 11 The project is ongoing as of December 2012.\n\n                         \xe2\x80\xa2   Alerts provides for an automatic alert to be sent to FinCEN\n                             analysts about suspicious activities reported by filers based on\n                             pre-defined criteria. The project is ongoing as of December\n                             2012.\n\n                         Baseline Change of the Bank Secrecy Act Information Technology\n                         Modernization Program (BSA IT Mod)\n\n                         Our first audit found the Financial Crimes Enforcement Network\n                         (FinCEN) was reporting that as of May 2011, the 4-year, $120\n                         million, BSA IT Mod was on schedule and within an acceptable 10\n                         percent cost threshold. At that time, we found the program to be\n                         generally within scheduled milestones, though certain projects had\n                         exceeded scheduled milestones by 10 percent.\n\n\n\n11\n     Section 314 of the USA Patriot Act is established under 31 U.S.C. \xc2\xa7 5311.\n\n\n                         FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with      Page 23\n                         Schedule Extensions (OIG-13-036)\n\x0cAppendix 3\nAdditional Background Information on BSA IT Mod\n\n\nIn June 2011, FinCEN adjusted selected project milestone schedule\ndates and realigned costs to keep the overall program on track. The\nbaseline change resulted in no increase to overall costs and no\nextension to the 4-year program schedule. However, a major\nadjustment was made to the Contractor Services budget, which\nwas increased by approximately $12.7 million dollars or 37\npercent. This budget increase was offset by a reduction to the\nbudgets for Other and Operations and Maintenance costs. Table 1\ndisplays the impact the baseline change had on the major program\nelements.\n\nTable 1: BSA IT Mod Program Baseline Change, May 2010 to\nJune 2011 (in millions)\n                                  May 2010             June 2011\nElement                           Initial Plan   Baseline Change         Change\nHardware and Software                  $16.8               $16.8             $0\nContractor Services                      34.2               46.9           12.7\nOther                                    22.7               19.3           (3.4)\nOperations and Maintenance               46.9               37.6           (9.3)\nTotal                                 $120.6              $120.6             $0\nSource: OIG review of FinCEN data. FinCEN staff costs are not included in the\nabove cost estimates.\n\nContractor Services was increased to provide additional iterations\nto the building and testing of the system of record (SOR) and other\nprojects that had to be changed because of the changes to the\nSOR. Increased data conversion testing was required because of\nthe volume and complexity of the data and business rules, and to\nensure that the integration, system performance, and data integrity\nwas correct.\n\nBSA IT Mod Budget Reallocation\n\nSince BSA IT Mod baseline change in June 2011, the budget for\nthe major program elements have been reallocated with no increase\nto BSA IT Mod\xe2\x80\x99s total planned cost. Table 2 displays the budget\nchanges.\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                       Page 24\nSchedule Extensions (OIG-13-036)\n\x0c                       Appendix 3\n                       Additional Background Information on BSA IT Mod\n\n\n\n\n                      Table 2: BSA IT Mod Program Budget Change, June 2011 to October 2012\n                      (in millions)\n                                                             June 2011           October 2012\n                       Element                          Baseline Change         Current Budget        Change\n                       Hardware and Software                      $16.8                  $16.8             $0\n                       Contractor Services                         46.9                   50.5            3.6\n                       Other                                       19.3                   17.0          (2.3)\n                       Operations and Maintenance                  37.6                   36.3          (1.3)\n                       Total                                     $120.6                 $120.6             $0\n                       Source: OIG review of FinCEN data. FTEs are not included in the above cost estimates.\n\n                       The allocation for contractor services was increased $3.6 million to\n                       address additional costs for work related to the following projects:\n                       (1) FinCEN Query, (2) release 2 of the System of Record,\n                       (3) Shared Filing Services, and (3) Third-Party Data and Bulk Data\n                       Dissemination.\n\n                       Contractors Engaged by FinCEN\n\n                       In March 2008, FinCEN awarded a 5-year indefinite delivery,\n                       indefinite quantity (IDIQ) contract to BearingPoint, Inc., to support\n                       a full range of information technology services, custom\n                       applications, maintenance support, and infrastructure support\n                       necessary to implement the FinCEN IT operational objectives.\n                       Numerous task orders have been issued against the contract\n                       including those for the BSA IT Mod program. 12 The contract was\n                       subsequently transferred to Deloitte Consulting, LLP (Deloitte). 13\n                       The contract ceiling is a maximum of $144 million and a minimum\n                       of $1 million over the contract\xe2\x80\x99s 5-year life. FinCEN also contracted\n                       with MITRE Corporation (MITRE) at a cost of approximately $1.5\n                       million to provide management guidance, coordination, and\n\n\n\n\n12\n   An IDIQ contract provides for an indefinite quantity of services during a fixed period of time. This\ntype of contract is used when it cannot be predetermined, above a specified minimum, the precise\nquantities of supplies or services that the government will require during the contract period. IDIQ\ncontracts are most often used for service contracts and architect-engineering services. An IDIQ contract\nis flexible, especially when not all the requirements are known at the start of a contract and is\nconducive to a modular approach, which would be one with phases or milestones.\n13\n   The IDIQ contract was transferred from BearingPoint, Inc. to Deloitte on October 1, 2009 after\nDeloitte purchased substantially all of the assets of Bearing Point, Inc., Public Service Division.\n\n\n                       FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                       Page 25\n                       Schedule Extensions (OIG-13-036)\n\x0c                      Appendix 3\n                      Additional Background Information on BSA IT Mod\n\n\n                      evaluation support for BSA IT Mod. 14 MITRE is a subject matter\n                      expert on program and project management, and BSA IT Mod\n                      business capabilities.\n\n                      FinCEN is using the Acquisitions Services Directorate of the U.S.\n                      Department of the Interior as the contract office to administer the\n                      contract. FinCEN chose this office because of its prior experience\n                      handling large, complex procurements.\n\n\n\n\n14\n  MITRE is a not-for-profit organization chartered to work in the public interest with expertise in\nsystems engineering, information technology, operational concepts, and enterprise modernization.\nAmong other things, it manages federally funded research and development centers, including one for\nIRS and U.S. Department of Veterans Affairs (the Center for Enterprise Modernization). Under\nTreasury\xe2\x80\x99s existing contract with MITRE, Treasury and its bureaus, with permission of the IRS sponsor,\nmay contract for support in the following task areas: strategic management, technical management,\nprogram and project management, procurement, and evaluation and audit to facilitate the modernization\nof systems and their business and technical operation.\n\n\n                      FinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with                Page 26\n                      Schedule Extensions (OIG-13-036)\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with   Page 27\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 4\nManagement Response\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with   Page 28\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 5\nMajor Contributors to this Report\n\n\n\n\nBoston Office\n\nMark Ossinger, Audit Manager\nKenneth O\xe2\x80\x99Loughlin, Auditor-in-Charge\nRichard Wood, Auditor\n\nWashington, D.C.\n\nRobert Kohn, Referencer\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with   Page 29\nSchedule Extensions (OIG-13-036)\n\x0cAppendix 6\nReport Distribution\n\n\n\n\nDepartment of the Treasury\n\n   Deputy Secretary\n   Under Secretary for Terrorism and Financial Intelligence\n   Chief Information Officer\n   Office of Strategic Planning and Performance Management\n   Office of the Deputy Chief Financial Officer, Risk and Control\n       Group\n\nFinancial Crimes Enforcement Network\n\n   Director\n\nOffice of Management and Budget\n\n   OIG Budget Examiner\n\nU.S. Senate\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\nU.S. House of Representatives\n\n   Chairman and Ranking Member\n   Committee on Appropriations\n\n   Chairman and Ranking Member\n   Subcommittee on Financial Services and General Government\n   Committee on Appropriations\n\n\n\n\nFinCEN\xe2\x80\x99s BSA IT Modernization Program Met Milestones with     Page 30\nSchedule Extensions (OIG-13-036)\n\x0c"